The Showroomprivé iOS app is hooked on trackers
After analyzing Fnac, let's now look at another French e-commerce site, a competitor of Veepee (the private sales leader, formerly vente-privee.com): Showroomprive. To analyze its iOS app, I followed these steps:
- Close the various background applications.
- Launch Charles Proxy and enable tracking.
- Launch the Showroomprive application, then browse the app: I looked at a few products.
- Export the logs from my Charles Proxy session to my computer, so I could easily analyze the requests sent by Showroomprive.
Here are some companies that track you during your purchases on Showroomprive:
- Google : via its developer toolbox Firebase, Showroomprive uses Crashlytics (crash tracking) and Firebase Remote Config, which lets it personalize the app without redeploying it. No directly identifying personal information is sent here (unlike with Bolt), but identifiers are sent: pseudonymized data for which Showroomprive should inform you and ask for your consent.
- Facebook : via its developer toolbox used by Showroomprive, the American giant knows about your private-sale browsing, even if you do not have a Facebook account. Here again, Showroomprive provides no information.
- FollowAnalytics : via the domain follow-aps.com. A French analytics and targeted campaign tool (push notifications and in-app messages).
- Adjust : another mobile analytics and marketing tool. Here Showroomprive leaks CRM data: your gender, your number of orders, your RFM score, the total amount of your orders, etc.
- Mediarithmics : a French company offering an advertising space purchasing platform and a data management solution (profiling you better in order to target you better). Here, Showroomprive leaks your CRM data and your navigation in the app, but also much more sensitive data such as your email address, postal code or date of birth.
- Accengage : a French push notification tool acquired in 2018 by the mobile marketing company Airship. Here Showroomprive leaks your email address.
A vague privacy policy
Since Showroomprive does not directly inform its customers about the way it allows third parties to track them, let's read the Showroomprivé privacy policy. In section 5, “Recipients of your Personal Data”, we can read:
The recipients of your Personal Data are as follows: [...] Our service providers in charge of carrying out analyses and segmentations, marketing and commercial studies and personalized advertising campaigns
The customer therefore still has no information about the identity of the recipients or the personal data transferred.
Limited control over trackers, well hidden
By browsing the settings of the Showroomprivé app, I managed to find the page that lets you configure tracking. You have to go to “Account”, then “My personal information”, and finally “Manage my data”:
By default, everything is allowed. Here again, no information is given about the identity of the recipients or the personal data transferred. However, if we uncheck all the boxes, we can observe a reduction in trackers.
The Mediarithmics and Accengage trackers, which notably retrieved my email address, are no longer triggered. On the other hand, Showroomprive still leaks my identifiers to Google and Facebook, so it is impossible to deactivate the services of the heavyweights of generalized surveillance.
Mediarithmics, provider of tracking tools, shifts responsibility to its customers
We had already seen in a previous article how Fnac leaked your personal data to Mediarithmics and Accengage, two French “data marketing” companies. As part of the Gravity alliance (150 French sites that exchange your personal data), Fnac leaked a hash of your email address and your journey on the site to Mediarithmics.
Here, Showroomprive goes "further" by leaking your email address in plain text to Mediarithmics. What does Mediarithmics' "Personal data protection charter" say? In summary:
- The client (Showroomprive) must inform users and obtain their explicit consent before collecting the data (Showroomprive does not respect the contract: no information or explicit consent, only a hidden opt-out).
- Mediarithmics does not cross-reference the data of its different clients (no cross-referencing between Showroomprive and the Gravity Alliance, for example).
- Rights of access, rectification, objection or deletion concerning my personal data must be exercised directly with Mediarithmics' customers (Showroomprive).
In short: Mediarithmics washes its hands of the matter; Showroomprive is responsible. Here is the data Mediarithmics authorizes itself to collect on behalf of its clients:
Mediarithmics provides the "weapon" and leaves Showroomprive responsible for obtaining its customers' consent upstream. For its part, and as already seen with the Fnac example, Accengage does not even indicate that it may collect personal data such as an email address.
The Showroomprive website leaks your personal data when you are not logged in
As we have just seen, Showroomprive leaks your personal data without your consent on its iOS app. What about its website? Let's look at the requests exchanged when I browse the Showroomprive website from Chrome, still with Charles Proxy, but this time the desktop version (after disabling my ad blocker and deleting cookies):
Before you can even click on the “cookie banner” at the bottom of the page, Showroomprive sends your personal data to Google and Facebook, in violation of the GDPR. The "cookie banner" points to the privacy policy. To manage your data, you must log in to Showroomprive (reminder: you have already been tracked by Google and Facebook, and there is no going back).
When you log in after previously unchecking all the tracking options ("Account" > "My personal information" > "Manage my data"), Showroomprive does not trigger additional third-party tracking (so no Google or Facebook, unlike on the iOS app). But when you log out, unsurprisingly, the Google and Facebook trackers are triggered again.
